The DMV Is Selling Your Data To Vast Array Of Third Parties
from the dysfunction-junction dept
Another day, another data privacy scandal. This time the focus is on the Department of Motor Vehicles, which has been busted selling DMV user data to a laundry list of third parties, without always making such financial relationships or data transfers clear to patrons. Some of the data wound up being sold to the usual suspects (auto insurance companies being the most obvious), but much of it is routinely sold to more dubious third-party outfits and private investigators. And while some of the data is in bulk and "anonymized," we've long noted that doesn't mean what you think it does.
The collection and sale of sensitive user data is particularly problematic for those dealing with stalkers or other jackasses:
"The selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking," Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, told Motherboard in an email. "For survivors, their safety may depend on their ability to keep this type of information private."
Granted all of this is perfectly legal due to the Driver's Privacy Protection Act (DPPA), a 90's law that critics say is in dire need of an update. That law was created in response to a series of abuses of DMV data, including the 1989 murder of actress Rebecca Schaeffer, after her killer obtained her home address from the DMV. And while the law was intended to stop the abuse of DMV data, it contained (surprise!) plenty of loopholes making it okay to sell this data to a wide variety of individuals, including PIs, bail bondsmen, and consumer credit reporting agencies.
While the data sold can vary from state to state, it generally includes names, addresses, zip codes, dates of birth, phone numbers, and email addresses. The documents obtained by Motherboard show that the Wisconsin DMV, for example, has personal data sales relationships with more than 3,100 different entities. The practice is, unsurprisingly, hugely profitable:
"DMVs are making a lot of money from the sale of this data. The Rhode Island DMV made at least $384,000 selling personal data between 2015 and this year, according to a spreadsheet obtained by Motherboard. When asked how much the Wisconsin DMV made from selling driver records, a spokesperson wrote in an email "Per these 2018 DMV Facts and Figures, $17,140,914 was collected in FY18 for driver abstract fees." Examining that document shows that Wisconsin's revenue for selling driver records has shot up dramatically since 2015, when the sale drew in $1.1 million. The Florida Department of Highway Safety and Motor Vehicles made $77 million in 2017 by selling data, a local outlet found."
Most DMVs say that they inform customers (in fine print) that their data may be sold, and that they've cut off access to data by firms that they've found to have abused the access. But given the wild west nature of US privacy law (read: we don't have many and the ones we do have are riddled with issues and loopholes), there's not much of a mechanism to confirm this data isn't being abused, or that DMVs are doing a particularly good job of dealing with issues when the data is being access by malicious parties. In response to the investigation, Presidential hopeful Bernie Sanders demanded more comprehensive oversight:
"The DMV should not use its trove of personal information as a tool to make money. While the internet has been an enormous source for good, all that convenience and connection has come with a price: our privacy has been invaded in an unprecedented way, in a manner that would have been unthinkable even 20 years ago. Nobody—from agencies like the DMV to large corporations like Facebook and Google—should be profiting from sharing or selling personal information without meaningful consent. Congress must get serious about ending practices that violate the privacy of ordinary Americans.
Granted it's hard to reform US privacy law when a broad coalition of industries are using every lobbying trick in the book to prevent said reform from taking place. And while a lot of companies publicly state they want a new privacy law, what they really mean is for Congress to pass another flimsy, loophole-filled law their lawyers wrote, that will primarily serve to pre-empt more comprehensive state and federal privacy proposals.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data, dmv, privacy, selling data
Reader Comments
Subscribe: RSS
View by: Time | Thread
It's not just about privacy, it's about government, not business
The Government should not be in the business of selling anything, especially private information gleaned from requirements generated for enforcement purposes, and they certainly shouldn't be selling votes, as they often do. To begin with, it's our information, not theirs. Secondly the Government isn't a business, it's a government.
Now if the Government comes into possession of something they no longer need, and that something has some value, then they could transfer it off their books for a consideration to a private entity. But in the instances related in the article, the data being sold is imaginary property and it isn't like the government doesn't need it any more.
If they are in need of money, maybe they should take a good hard look at some of their wasteful spending. We don't need bridges to nowhere, and we don't need military projects that don't work, and we don't need a military industrial complex. There are too many other complex's to deal with, like politician's egos and political parties.
[ link to this | view in chronology ]
Re: It's not just about privacy, it's about government, not busi
They've been in the business of selling child sex slaves for decades now at least.
[ link to this | view in chronology ]
Re: it's about government
"The Government should not be in the business of selling anything,"
.,.
But YOU are the "Government" ! America is a democracv, right.
Your state governor and legislators fully control the DMV ... and they obviously support their DMV selling private citizen data -- a long established government policy.
You voted for these state officials ... or at least fully endorsed the electoral process that put them in power.
Thus, you have NO right to complain about the state "government" that officially represents you.
The Government is You !
(or are you one of those flakes that doesn't trust government generally?)
[ link to this | view in chronology ]
Re: Re: it's about government
What in gods name makes you think you know how I voted?
Beyond that, governments in general have given plenty of reason not to trust them. However, there are specific reasons for not trusting them, not general reasons.
[ link to this | view in chronology ]
Re: Re: Re: it's about government
...relax, nobody said they knew how you vote.
You made a broader point about government, as did I (with an exaggerated style for emphasis).
Trust in your elected officials is not a granular concept -- you either trust them or you don't.
Voting isn't a piecemeal proposition either. By participating in elections, you agree to abide by the results -- which typically means granting elected officials extensive power over you for long time periods; thus, you automatically "trust" election winners.
That.s how elections work, though few people recognize the deeper principles of representative democracy.
So do you trust your government or not?
[ link to this | view in chronology ]
Re: Re: Re: Re: it's about government
Not.
I don't like our election process. I don't like political parties. I don't like soft money in politics. I don't like politicians not being held accountable. I don't like politicians voting in favor of something that is not in their constituencies best interest. I don't like the way the Senate implements its advise and consent roll. Etc.. This is the short list.
And I really don't like that all of these are fixable, but power hungry politicians won't do anything about it because they like the power they have, and fixing things might remove either their power or them from their power position.
I am waiting for a list of reasons to actually trust the government, that isn't laughably strained. Even some of our founding fathers had little faith in governments. For example:
[ link to this | view in chronology ]
Re: Re: Re: Re: it's about government
"Trust in your elected officials is not a granular concept -- you either trust them or you don't."
Trust is earned, it is neither given nor demanded.
"By participating in elections, you agree to abide by the results"
Wrong. Show from where you get this preposterous idea.
"which typically means granting elected officials extensive power over you for long time periods; thus, you automatically "trust" election winners."
Does this imply that people suffering under a dictatorship, by definition, trust the dictator? I don't think so Tim.
"That.s how elections work"
Wrong again.
"deeper principles of representative democracy"
Not sure what you are getting at here but it smells like bullshit.
Why would anyone trust their government? I challenge you to come up with one good reason to do so. Many people consider it their responsibility to keep their government in check rather than simply giving them carte blanche.
[ link to this | view in chronology ]
Re: Re: Re: it's about government
damn chill out!
[ link to this | view in chronology ]
Re: Re: it's about government
RE: those flakes that doesn't trust government generally
The idea behind that is to make such people so mistrustful of government on principle that it doesn't occur to them that
a) they effectively ARE the government, and
b) they can effect change if they engage more and get others to join them.
As you may have noticed, this is working like a Fascist dream; disengaged people shout about rebellion and revolution but it just doesn't click with them that they could, like, totally call their representatives or campaign for change like the sensible people do.
[ link to this | view in chronology ]
Re: It's not just about privacy, it's about government, not busi
Its a shame that Americans have been subjected to the dictatorship of the DMV across our country.
[ link to this | view in chronology ]
The DMVs have done this for a while. Get an account at publicdata.com and you'll have access to that data from whichever states have made the data available. Texas is the worst offender.
[ link to this | view in chronology ]
It's interesting that it seems to be ok if they simply tell you ahead of time that they are doing it. Sorta like when they steal your stuff because your stuff violated the law, they tell you in advance because that makes it ok.
[ link to this | view in chronology ]
Rhode Island informs us...
I'm a Rhode Island resident, and I very clearly remember seeing a checkbox on the license renewals which would grant them permission to sell your data to third parties. I remember it because it seemed rather idiotic -- I never give them permission, and I'm not sure why anyone would, but I assume they're counting on people not actually reading the damn contracts they're signing and just checking boxes at random...
Here's the form...top of section G. Note that it is NOT opt-out, you must select either yes or no.
http://www.dmv.ri.gov/documents/forms/license/LI-1.pdf
So, are they violating that and selling information without consent? Because otherwise, what they're doing kinda sucks, but it's also kinda your own fault if you get screwed by it....
Heck, even Sanders as quoted only said that they shouldn't do it "without meaningful consent". I think what they already have counts as 'meaningful consent'. What more would you want -- are they supposed to send out a separate letter every single time they want to sign a new sales contract? That would be pretty annoying to those of us who just want to give a blanket 'NO'. Perhaps they could improve the language/layout of the form a bit...but it's NOT buried "in fine print" as claimed in the summary above, it's NOT an opt-out, it's NOT automatic...you have to give them a clear "YES, you have permission to share my data". Seems like meaningful consent to me. It's not perfect, but it's a FAR higher ethical standard than most data collection agencies that keep it buried in some click-through EULA that they damn well know most users aren't reading.
[ link to this | view in chronology ]
Re: Rhode Island informs us...
I think the problem is the "unless otherwise authorized by law" proviso in the consent checkbox. They never say anywhere exactly what disclosures are authorized by law. If the law authorizes the DMV to sell information to credit reporting agencies, does that count and mean that your information may be sold even if you check the NO box?
IMO the rule should be that government agencies that collect personal data SHALL NOT disclose that data to any other party except to:
[ link to this | view in chronology ]
Re: Re: Rhode Island informs us...
Worse, they ask whether you authorize "such disclosure". But what does "such" mean? Disclosure authorized by law, or other than authorized? We may as well be checking boxes at random if we don't know what "Yes" and "No" mean. (But, at least "no" looks like a safe choice. Authorize nothing unless you're sure.)
[ link to this | view in chronology ]
Re: Re: Re: Rhode Island informs us...
Yeah, as I said they could improve the wording a bit, but I don't think it's THAT bad when you include the full context. Because the question starts with "EXCEPT", therefore you know that it does not apply to the disclosures authorized by law, so "such disclosures" can only mean those which would require consent.
[ link to this | view in chronology ]
Re: Re: Rhode Island informs us...
"If the law authorizes the DMV to sell information to credit reporting agencies, does that count and mean that your information may be sold even if you check the NO box?"
I hope not, though it's not THAT hard to go look up some laws. If that was authorized, I'd certainly find that newsworthy. But "agency which asks users if they'd allow disclosing data is disclosing data!!!11!" is a pretty worthless headline, and that's certainly all I'm seeing in this article...
[ link to this | view in chronology ]
How long will it be to discover your finger print was sold and then placed at the scene of a crime?
[ link to this | view in chronology ]
Re:
Fingerprint analysis has been shown to be frequently unreliable anyway
[ link to this | view in chronology ]
Re: Re:
More people have died in prison because of fingerprint analysis. That's funny.
[ link to this | view in chronology ]
Re: Re:
People have gone to prison based on far less though. Just do a web search for "bite mark analysis in criminal prosecutions" and you'll find page after page after page of insanity -- people going to prison based on a PHOTO of a bite that "experts" claimed was a match, EVEN WHEN THE DNA IN THE SALIVA DID NOT MATCH. Heck, even when there was one expert saying the bite mark matched, and a second expert saying that it didn't, and that was the only evidence presented...the guy still ended up in prison. You must be incredibly naive if you think "fingerprints are unreliable anyway" would be a sufficient defense in court...
[ link to this | view in chronology ]
What would happen if a European citizen got a license in some US state? Would their DMV info have to be handled by GDPR policies? What would the penalties be if it wasn't?
Just thinking that might be an interesting angle of attack here, if all Europeans with US licenses flagged up the DMV.
[ link to this | view in chronology ]